The following are examples for using the SPL2 from command. To learn more about the from command, see How the from command works.

You can specify the clauses in the from command in uppercase or lowercase. These examples use uppercase for readability. Some of these examples start with the SELECT clause and others start with the FROM clause. Both of these clauses are valid syntax for the from command.

The following search shows that string values in field-value pairs must be enclosed in double quotation marks.

Because string values must be enclosed in double quotation marks, you can reverse the order of field-value pairs. For example, the previous search can also be specified this way:

FROM my_index "syslog"=sourcetype

The following search looks for data in the _metrics index:

SELECT earliest_time(_value), metric_name

To use a wildcard in the WHERE clause, you cannot use the asterisk ( * ) wildcard character. See Comparison and Conditional functions. The following search looks for data in the EMEA and APAC indexes:

You can use a wildcard character ( * ) in the SELECT clause to search for similar field names. You must enclose the wildcard syntax in single quotation marks. You can use a wildcard to search for only internal fields, which begin with an underscore ( _ ) character. The WHERE clause does not support the wildcard character ( * ). However, you can use the like function to perform a wildcard search. The like function supports several syntaxes; see Comparison and Conditional functions.

5. Specify multiple expressions in the WHERE clause

Use the WHERE clause to filter the data by specifying one or more expressions. You need to separate multiple expressions using logical operators, such as AND and OR.

WHERE like(source, "%license%") AND type="usage"

The WHERE clause does not support the asterisk ( * ) wildcard character. The WHERE clause uses the like function to perform a search with a wildcard. For more information about the like function, see Comparison and Conditional functions. For more information about logical operators, see Predicate expressions in the SPL2 Search Manual.

You can search for multiple terms in your events by using a search literal in the WHERE clause. An AND operator is implied between the terms specified in the search literal. To specify a search literal, you enclose the list of terms in backtick characters ( ` ). The following search looks for the terms invalid AND user AND sshd and returns the events that contain all three terms:

For more information, see Search literals in expressions in the SPL2 Search Manual.

7. Specify a single field in the GROUP BY clause

You can specify one or more fields to group by. In this example a single field, host, is specified. The SELECT clause must contain either an aggregation or the fields in the GROUP BY clause. In this example, the SELECT clause contains the aggregation avg(cpu_usage):

8. Specify a time span in the GROUP BY clause

You can arrange search results in groups using a time span. When using the from command, if the GROUP BY clause is specified, the SELECT clause must also be specified. The following search returns web access error information, grouped by host in 5-minute time spans.

There are several ways to specify a time span with the GROUP BY clause; see from command syntax details.

9. Sorting search results using the ORDER BY clause

Suppose you use the following search to return a count of the actions taken, grouped by the productId field.

By default the results are sorted on the GROUP BY field, productId. You want to sort the results in descending order based on the count. However, the name of the count field in the output is the name of the aggregation specified in the SELECT clause, count(action). The ORDER BY clause will not sort on a field name that is an aggregation because it contains special characters, the parentheses. You have two options: you can either rename the aggregation field count(action) in the SELECT clause using the AS keyword, or you can enclose the field name in single quotation marks, such as ORDER BY 'count(action)' DESC. Here's the updated search using the rename option:

10. Enrich event data with a lookup dataset using the JOIN clause

Consider the following data from a set of events with login information:

You want to enrich the event data with information from the host_info lookup dataset, which contains information about known

You want every event that matches the search criteria to appear in the search results. If there is a match between an event and the host_info lookup dataset, you want to display the kind and status from the host_info lookup dataset with each event. This is referred to as a left join, which is shown in the following image.
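The WHERE-clause examples above (the like function in example 5 and the search literal with its implied AND) describe matching rules without showing what they accept or reject. The following is an added Python example, not code from Splunk's documentation or from SPL2 itself, that applies those two rules to a handful of constructed events. It assumes like() behaves like the SQL LIKE pattern (% matches any run of characters, _ a single character, everything else literal), and that search-literal terms are matched case-insensitively against the raw event text; the field names source, type and _raw are the usual Splunk ones.

```python
import re

# Constructed sample events (not from the page). Each event is a dict of field
# name to value; "_raw" holds the raw event text that search literals run against.
EVENTS = [
    {"_raw": "Jan 10 12:00:01 host1 sshd[1234]: Invalid user admin from 10.0.0.5",
     "source": "/var/log/auth.log", "type": "auth"},
    {"_raw": "license usage report generated",
     "source": "/opt/splunk/var/log/splunk/license_usage.log", "type": "usage"},
    {"_raw": "license usage report generated",
     "source": "/opt/splunk/var/log/splunk/license_usage.log", "type": "audit"},
    {"_raw": "Jan 10 12:00:02 host2 sshd[99]: Accepted password for user bob from 10.0.0.7",
     "source": "/var/log/auth.log", "type": "auth"},
    {"_raw": "Jan 10 12:00:03 host3 sshd[77]: Failed password for invalid user root from 10.0.0.9",
     "source": "/var/log/auth.log", "type": "auth"},
]


def like(value, pattern):
    """SQL-style like(): '%' matches any run of characters, '_' any single character.
    Every other character is literal, so a '*' in the pattern only matches a literal '*'."""
    regex = "".join(".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def search_literal(event, terms):
    """`term1 term2 ...` in a WHERE clause: an AND is implied, so every term must
    occur in the raw event text. Matching is case-insensitive here (assumption)."""
    raw = event["_raw"].lower()
    return all(term.lower() in raw for term in terms)


def where(events, predicate):
    """The WHERE clause: keep only the events for which the predicate holds."""
    return [e for e in events if predicate(e)]


def license_usage_events():
    # WHERE like(source, "%license%") AND type="usage"
    return where(EVENTS, lambda e: like(e["source"], "%license%") and e["type"] == "usage")


def asterisk_matches():
    # The same filter written with '*' instead of '%': the asterisk is a literal
    # character to like(), so nothing matches. This is the mistake the page warns about.
    return where(EVENTS, lambda e: like(e["source"], "*license*"))


def invalid_user_sshd_events():
    # WHERE `invalid user sshd`
    return where(EVENTS, lambda e: search_literal(e, ["invalid", "user", "sshd"]))


if __name__ == "__main__":
    for e in license_usage_events():
        print("license usage:", e["source"])
    print("asterisk pattern matched", len(asterisk_matches()), "events")
    for e in invalid_user_sshd_events():
        print("invalid user:", e["_raw"])
```

Running the module prints one license-usage event (the audit-type event is dropped by the AND), zero matches for the asterisk pattern, and the two sshd events that contain all three terms; the successful "Accepted password" login is excluded because it lacks the term invalid.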
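Examples 8 and 9 describe two steps of the same reporting pattern: bucket events by host and a 5-minute time span, count them, then sort on the count rather than on the GROUP BY field. The following is an added Python example, not SPL2 and not Splunk's code, that carries the pattern through on constructed web access events. It assumes _time is an epoch-seconds integer, that a span bucket is the timestamp floored to a multiple of the span length, and that "error" means an HTTP status of 400 or higher; the alias count plays the role of the AS rename from example 9.

```python
from collections import Counter
from datetime import datetime, timezone

SPAN_SECONDS = 300  # 5-minute spans, as in the page's GROUP BY example

# T0 is a constructed epoch timestamp chosen to fall on a 5-minute boundary.
T0 = 1700000100
assert T0 % SPAN_SECONDS == 0

# Constructed web access events (not from the page): epoch seconds, host, HTTP status.
ACCESS_EVENTS = [
    {"_time": T0 + 10,  "host": "web1", "status": 200},
    {"_time": T0 + 20,  "host": "web1", "status": 500},
    {"_time": T0 + 100, "host": "web1", "status": 404},
    {"_time": T0 + 30,  "host": "web2", "status": 503},
    {"_time": T0 + 310, "host": "web1", "status": 500},
    {"_time": T0 + 320, "host": "web2", "status": 200},
    {"_time": T0 + 600, "host": "web2", "status": 500},
    {"_time": T0 + 610, "host": "web2", "status": 502},
]


def span_start(epoch_seconds, span_seconds=SPAN_SECONDS):
    """Floor a timestamp to the start of its span; all events in one span share this value."""
    return epoch_seconds - (epoch_seconds % span_seconds)


def error_counts(events, span_seconds=SPAN_SECONDS):
    """SELECT count() AS count ... WHERE status >= 400 GROUP BY host, span(_time, 5m),
    expressed as a Counter keyed by (host, span start)."""
    counts = Counter()
    for e in events:
        if e["status"] >= 400:
            counts[(e["host"], span_start(e["_time"], span_seconds))] += 1
    return counts


def ordered_rows(counts):
    """ORDER BY count DESC. Sorting on the alias works because the result column is
    simply named 'count'; ties are broken by host and span start to keep output stable."""
    rows = [{"host": host, "_time": start, "count": n} for (host, start), n in counts.items()]
    rows.sort(key=lambda r: (-r["count"], r["host"], r["_time"]))
    return rows


def error_report(events=ACCESS_EVENTS):
    return ordered_rows(error_counts(events))


if __name__ == "__main__":
    for row in error_report():
        when = datetime.fromtimestamp(row["_time"], tz=timezone.utc).isoformat()
        print(f"{when}  {row['host']:<6} errors={row['count']}")
```

Without the sort on count the rows come out in bucket order, which hides the busiest host/span pairs; with it, the two-error buckets for web1 (first span) and web2 (third span) rise to the top.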
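Example 10 explains the left join in words and refers to an image and a data table that are not reproduced here. The following is an added Python example, not the page's data and not SPL2, that shows the difference between a left join and an inner join on constructed login events and a constructed host_info lookup keyed on host. The event and lookup field names (host, user, action, kind, status) follow the page; the row contents are made up.

```python
# Constructed login events (not the page's table): one event per login attempt.
LOGIN_EVENTS = [
    {"_time": 1, "host": "host1", "user": "alice",   "action": "login"},
    {"_time": 2, "host": "host2", "user": "bob",     "action": "login"},
    {"_time": 3, "host": "host9", "user": "mallory", "action": "login"},   # host9 is not in the lookup
    {"_time": 4, "host": "host1", "user": "carol",   "action": "logout"},
]

# Constructed host_info lookup dataset: what is known about each host.
HOST_INFO = [
    {"host": "host1", "kind": "server", "status": "active"},
    {"host": "host2", "kind": "laptop", "status": "retired"},
    {"host": "host3", "kind": "server", "status": "active"},   # host3 has no events
]


def join(events, lookup, on, fields, left=True):
    """Join events to a lookup on one field and copy the named lookup fields onto
    each event. left=True keeps events with no lookup match (their new fields are
    None); left=False behaves as an inner join and drops them. If the lookup has
    several rows for one key, the event is emitted once per matching row."""
    index = {}
    for row in lookup:
        index.setdefault(row[on], []).append(row)
    joined = []
    for event in events:
        matches = index.get(event[on], [])
        if not matches:
            if left:
                joined.append({**event, **{f: None for f in fields}})
            continue
        for match in matches:
            joined.append({**event, **{f: match.get(f) for f in fields}})
    return joined


def enriched_logins():
    # Every login event appears; kind/status are filled in where host_info knows the host.
    return join(LOGIN_EVENTS, HOST_INFO, on="host", fields=("kind", "status"), left=True)


def enriched_logins_inner():
    # Only events whose host is in the lookup survive.
    return join(LOGIN_EVENTS, HOST_INFO, on="host", fields=("kind", "status"), left=False)


def unknown_host_logins():
    """Left-join rows whose lookup fields stayed empty: logins from hosts the
    inventory does not know about, which is exactly what a reviewer wants to see."""
    return [r for r in enriched_logins() if r["kind"] is None]


if __name__ == "__main__":
    for row in enriched_logins():
        print(row)
    print("inner join keeps", len(enriched_logins_inner()), "of", len(LOGIN_EVENTS), "events")
    print("unknown hosts:", [r["host"] for r in unknown_host_logins()])
```

The left join is the right choice for enrichment precisely because it does not silently drop the unmatched event: the login from host9 still shows up, with empty kind and status, while an inner join would have removed it from the results.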